RSA Warns Developers Not To Use RSA Products

← Back to Stories (view on slashdot.org)

RSA Warns Developers Not To Use RSA Products

Posted by timothy on Saturday September 21, 2013 @09:44AM from the surely-they-have-some-alternatives-to-suggest dept.

rroman writes "RSA has recommended developers not to use Dual_EC_DRBG random number generator (RNG), which has been known to be weak and slow since 2006. The funny thing is, that even though this has been known for so long, it is the default RNG in BSafe cryptographic toolkit, which is product of RSA."

8 of 128 comments (clear)

Min score:

Reason:

Sort:

The obligatory NSA question by hsa · 2013-09-21 09:54 · Score: 5, Interesting

Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?
1. Re:The obligatory NSA question by Jane+Q.+Public · 2013-09-21 10:11 · Score: 4, Interesting
  
  "Is NSA finding this RNG hard to crack, or did NSA tell RSA to slip in a backdoor back in 2006 - and RSA folks are trying to crawl out of the hole they dug for themselves?"
  Evidence very strongly suggests the latter.
2. Re:The obligatory NSA question by KiloByte · 2013-09-21 10:14 · Score: 4, Interesting
  
  Considering the consequences of defying the spooks, they had no real choice but to dig that hole or close the company.
  
  --
  The creatures outside looked from Alt-Right to Antifa; but already it was impossible to say which was which.
3. Re:The obligatory NSA question by Anonymous Coward · 2013-09-21 11:06 · Score: 5, Interesting
  
  The problem is that the magic numbers used in the algorithm have no known source so no one in the community can go back and find the justification for them. They are just there. I see the potential vulnerability here is that if you know the base numbers here, and since it is elliptical, that it simplifies the brute-force decryption process. How much? We don't know, yet. The problem is being looked at as I type.
4. Re:The obligatory NSA question by icebike · 2013-09-21 13:19 · Score: 5, Interesting
  
  I've never seen any examples of negative press from government sources.
  More likely the US simply developed an entire line of dedicated processors that can crack almost any code.
  This probably happened about the same time they dropped their designation of encryption as a munition.
  They already had the solution in hand.
  However, when real time continuous encryption started to be the norm, (like encrypted Skype, VPNs in routers, and SSL everywhere)
  they simply bought their way into the companies doing it, and induced them with money and contracts.
  I've stated more than once here that I believe it will be eventually revealed that the NSA fully funded Microsoft's acquisition of SKYPE.
  Probably because EBay was incompetent and not terribly interested in ripping out the un-traceable routing via small
  remotely distributed groups of nodes and many volunteer notes.
  Even if Ebay did provide access to the encryption technology, they couldn't circumvent the routing issues to provide taps.
  The first thing Microsoft did was route all traffic through their servers. No more routing via anonymous "volunteers" or off-shore
  peer-to-peer technology. It now goes direct to Microsoft and then to the other party. There was never a business case to do this.
  It was working just fine, and hasn't improved since Microsoft took over. There was ONLY ever an intelligence case to make this change.
  Why would Microsoft take on that expense for free? Because the NSA bought Skype for them.
  
  --
  Sig Battery depleted. Reverting to safe mode.
Re:No point pussy-footing around by Jane+Q.+Public · 2013-09-21 10:27 · Score: 4, Interesting

"Therefore, RSA has proven themselves untrustworthy at best, corrupt at worst, and quite likely both."
And don't forget that their "super security" ID dongles were hacked just a year or so ago.

All in all, it's looking like RSA is a corporation to avoid.
Re:No point pussy-footing around by 93+Escort+Wagon · 2013-09-21 11:39 · Score: 4, Interesting

An interesting scenario just came to mind...
1) RSA intentionally weakens their crypto at the behest of the NSA (this is fairly certain)
2) Chinese hack RSA - the only question is just how thoroughly (a known fact)
Now comes the speculation.
3) China analyzes what they got from RSA and discover the crypto is weaker than expected.
4) Quietly, China also begins to take advantage of this breakable crypto the NSA foisted on US companies and citizens.
5) China deduces why it was done and starts looking for weaknesses in other US crypto products - possibly succeeding, given they have a decent idea what to look for.
Followed by
6) China successfully and quietly penetrates most US defense contractors and financial institutions.

--
#DeleteChrome
Re:No point pussy-footing around by 93+Escort+Wagon · 2013-09-21 18:48 · Score: 3, Interesting

I think the NSA believed it was okay to weaken cryptography because they assumed they would be the only one who knew about what they'd done and specifically how they'd weakened it.
So really, what I believe is they were very clever and, at the same time, very naive... Or perhaps sophomoric and arrogant would be a better fit.

--
#DeleteChrome